Wednesday, February 1, 2012

Notes on Understanding TCP SYN Flooding Attacks

The basis of the SYN flooding attack lies in a flaw in how the 3-way handshake is initiated. The 3-way handshake is performed at the start of every TCP connection. The third packet, which completes the handshake, is what confirms the source's ability to receive packets at the IP address it used.

The key to success in this DoS attack is the Transmission Control Block (TCB). The TCB is the data structure in the operating system that holds all the state about a connection. Each TCB is more than 280 bytes, and can exceed 1300 bytes in some operating systems. After the first part of the 3-way handshake is finished, the connection is only half-open. It is very important to note that the TCB is already allocated on reception of the SYN packet, before the connection is fully established.

A flood of incoming SYN requests can cause the allocation of so many TCBs that a host's kernel memory becomes exhausted. Although most operating systems have a backlog mechanism that caps the number of half-open connections, this backlog can easily be filled up. Once it is full, new requests cannot be served until some TCBs are freed from the half-open state.

Since the TCP protocol is designed for reliability, the target host tends to keep half-open connections around for a long time, waiting for the 3-way handshake to complete.
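To make the mechanism above concrete, here is a small simulation I added (not code from the post or from Cisco) of a listener that allocates a fixed-size TCB on every SYN, caps the number of half-open entries with a backlog, and only frees an entry when the final ACK arrives or a handshake timer expires. The backlog size, the 60-second timer, the per-TCB size of 280 bytes (the lower bound quoted above) and the spoofed source addresses are all constructed assumptions for the demonstration.

```python
"""Toy model of a TCP listener's half-open (TCB) table under a SYN flood.

Added illustration, not the post's own code. Sizes and timers are assumptions.
"""
from dataclasses import dataclass, field

TCB_BYTES = 280  # lower bound on TCB size quoted in the post (assumed constant here)


@dataclass
class Listener:
    backlog: int                 # max half-open entries the kernel will hold
    syn_timeout: float           # seconds a half-open entry lives without the final ACK
    # (src_ip, src_port) -> time at which the handshake timer expires
    half_open: dict = field(default_factory=dict)
    established: int = 0
    dropped_syns: int = 0

    def _expire(self, now):
        # Free TCBs whose handshake timer has run out.
        for key in [k for k, exp in self.half_open.items() if exp <= now]:
            del self.half_open[key]

    def on_syn(self, src, now):
        """First packet of the handshake: a TCB is allocated right away."""
        self._expire(now)
        if src in self.half_open:
            return True          # retransmitted SYN, entry already allocated
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1
            return False         # backlog full: the SYN is silently dropped
        self.half_open[src] = now + self.syn_timeout
        return True

    def on_ack(self, src, now):
        """Third packet: only now does the connection leave the half-open state."""
        self._expire(now)
        if src in self.half_open:
            del self.half_open[src]
            self.established += 1
            return True
        return False             # no TCB for this peer, so the ACK is ignored

    def tcb_memory(self):
        """Kernel memory currently tied up in half-open TCBs."""
        return len(self.half_open) * TCB_BYTES


def simulate_flood(backlog=128, syn_timeout=60.0, flood_syns=500):
    """Flood the listener with SYNs whose sources never reply, then try a real client."""
    lst = Listener(backlog, syn_timeout)
    # Constructed sample: spoofed sources that will never send the third packet.
    for i in range(flood_syns):
        lst.on_syn(("10.0.0.%d" % (i % 250), 40000 + i), now=0.0)
    peak_half_open = len(lst.half_open)
    peak_tcb_bytes = lst.tcb_memory()

    # A legitimate client connects at t=1s while the backlog is full.
    legit = ("192.0.2.10", 51000)
    admitted = lst.on_syn(legit, now=1.0)
    completed = lst.on_ack(legit, now=1.1) if admitted else False

    # After the handshake timers expire, the same client retries and gets through.
    admitted_later = lst.on_syn(legit, now=syn_timeout + 1.0)
    completed_later = lst.on_ack(legit, now=syn_timeout + 1.1) if admitted_later else False

    return {
        "peak_half_open": peak_half_open,
        "peak_tcb_bytes": peak_tcb_bytes,
        "dropped_syns": lst.dropped_syns,
        "admitted_during_flood": admitted,
        "completed_during_flood": completed,
        "completed_after_timeout": completed_later,
        "established": lst.established,
        "half_open_after": len(lst.half_open),
    }


if __name__ == "__main__":
    for k, v in simulate_flood().items():
        print(f"{k}: {v}")
```

The run shows the two effects the post describes: the flood pins 128 TCBs (about 35 KB at 280 bytes each) without any connection ever becoming established, and the legitimate client is refused until the half-open timers, which are long because TCP is built for reliability, finally free the backlog.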

More on this article right here from Cisco.